Utilities firms play a key role in the UK’s critical national infrastructure (CNI), and as such are regulated by the new NIS Directive. Yet for most of the past year, government experts have issued alerts over nation state attacks, and repeated warnings about a major tier one incident. Thanks to vulnerabilities in legacy operational technology, as well as newer IoT and cloud-based systems, some alarm certainly appears justified.
But as MPs warn that the Government needs to act with greater urgency to mitigate cyber risk in CNI, there’s much that utilities firms can do themselves. Efforts should start with the Domain Name System (DNS): an overlooked layer of infrastructure which could provide a great early warning system for stopping threats.
Threats from nation state actors have put utilities firms on high alert. According to UK cyber security authorities, such actors have a “sustained presence in UK and US internet infrastructure”, and have been described as “almost state level” cyber crime gangs. The risks include customer data breaches, IP theft and service outages forced by ransomware. But the risk politicians are most concerned about is a concerted, destructive nation state attack of the sort that left hundreds of thousands of Ukrainians without power in December 2015 and 2016.
As utilities firms look to embrace digital transformation, they risk bringing online and exposing operational technology (OT) systems in facilities and plants that are hard to patch and systemically insecure. Modern IoT technologies, whilst driving improved customer service and efficiencies, also expand the cyber attack surface, making the security challenge more difficult to grapple with.
Focus on security
Managing these cyber risks has become a matter of national security. But it’s also vital to driving business operations, retaining customers, keeping costs down and staying on the right side of regulators. The NIS Directive mandates 72-hour notifications of serious incidents and can levy fines of up to £17 million or 4% of global annual turnover, enough to get the attention of most boardroom leaders.
Yet historically, the sector has perhaps been slow to adopt best practices. Utilities are the least likely of any vertical (42%) to have undertaken action on five or more of the government’s 10 Steps to Cyber Security guidance, for example.
Why DNS matters
The answer could lie with DNS. In most firms, it runs quietly in the background, converting domain names to IP addresses to allow employees to find the websites they’re looking for on the wider web and to direct external web users to your pages and apps. But how many IT bosses know it’s also used at some point in most cyber attacks?
Because it’s often whitelisted by firewalls, and yet contains vulnerabilities stemming from its open design, DNS is ripe for exploitation by attackers. This could be to smuggle stolen data out of the organisation, direct users to phishing sites, communicate with infected machines or help deploy malware. But because it’s such an important part of your online infrastructure, it’s also a great place to plug in security defences.
Nominet has been running critical infrastructure in the form of the .uk domain for over two decades and now securely manages 37 top-level domains (TLDs). We therefore know exactly what’s required to provide the protection needed to manage cyber risk in such environments, while complying with the NIS Directive.
Our NTX platform spots even single malicious packets hidden inside large quantities of legitimate enterprise data. It provides unprecedented visibility into current and emerging threats and the ability to shut down attacks before they’ve had a chance to impact your organisation. Available in two versions, NTXprotect and the fully managed service, NTXsecure, it protects your network against command-and-control malware, phishing, botnets, cryptomining, data exfiltration and more.